Radio LAN access authentication system

ABSTRACT

A wireless LAN access authentication system capable of shortening the time required for the access authentication procedure of a radio terminal apparatus. In this wireless LAN access authentication system, when the radio terminal apparatus 116 of a user who has sent an access request is already registered through initial access, a gateway apparatus 111 searches for the WEP key assigned to the radio terminal apparatus 116 through a WEP key control section 306 and redistributes the WEP key registered beforehand to the new access point section 124 in the destination area and to the radio terminal apparatus 116. The radio terminal apparatus 116 and the access point section 124 to which the WEP key has been distributed encrypt the data transmitted and received over the predetermined radio section using the redistributed WEP key and carry out communication.

TECHNICAL FIELD

The present invention relates to a wireless LAN access authentication system which carries out access authentication of a radio terminal apparatus transmitting/receiving a radio signal, and more particularly, to a wireless LAN access authentication system in a network system which integrates a plurality of wireless LAN network systems, each having at least two access point sections accessed by the radio terminal apparatus through a radio section carrying the radio signal.

BACKGROUND ART

A wireless LAN network system using a wireless LAN standard such as IEEE802.11b is operated in local area network systems at offices and companies, and in recent years in public network systems as well.

In such a wireless LAN network system, the radio terminal apparatus is authenticated using an ESSID or MAC address, and the radio signal transmitted through the radio section is then encrypted by means of WEP (Wired Equivalent Privacy).

However, security vulnerabilities have been pointed out in such access authentication of the radio terminal apparatus and in such encryption of the radio signal. For this reason, network systems are now being constructed in which devices supporting IEEE802.1X (with EAP, the Extensible Authentication Protocol) carry out access authentication of the radio terminal apparatus against a RADIUS (Remote Authentication Dial-In User Service) server, and the WEP keys used to encrypt the radio signal are distributed dynamically to the radio terminal apparatus.

On the other hand, with the widespread use of such network systems, there is a growing need for the radio terminal apparatus to achieve handover smoothly between a plurality of network systems, in order to provide a more comfortable communication experience for the user of the network system.

As a conventional communication scheme for speeding up this handover, there is a proposal which creates an access-authenticated state of the radio terminal apparatus beforehand at the access point sections to which the user's radio terminal apparatus is likely to carry out handover, and thereby eliminates the need for access authentication at the access point section during the handover of the radio terminal apparatus (e.g., see "A study for a speedy handover in a radio Local Area Network", 2003 Institute of Electronics, Information and Communication Engineers General Assembly, B-6-194).

This conventional communication scheme executes the following operations:

(1) According to this communication scheme, normal access authentication is carried out between the user's radio terminal apparatus and an authentication server, which performs access authentication of the radio terminal apparatus, when the user's radio terminal apparatus first logs into an access point section.
(2) The access point section into which the user's radio terminal apparatus has logged and the authentication server keep a certificate (session key) from the time of access authentication as an authentication header, which is used for the communications of the user's radio terminal apparatus thereafter.
(3) The authentication server searches for the access point sections to which the user's radio terminal apparatus is likely to carry out handover, using geographic information of the access point sections kept beforehand, and distributes the session key to the corresponding access point sections.
(4) The nearby access point sections to which the user's radio terminal apparatus is likely to carry out handover keep the session key notified by the authentication server.
(5) When the radio terminal apparatus carries out handover, the access point section which communicates with the user's radio terminal apparatus allows communication when the session key kept by the access point section matches the session key kept by the radio terminal apparatus.
(6) The access point section which detects a packet communication from the user's radio terminal apparatus for the first time notifies the authentication server of the login of the user's radio terminal apparatus.
(7) The authentication server notifies the access point sections in the communication area into which the user's radio terminal apparatus has newly entered of the session key, and requests the access point sections which have gone out of the communication area to release the session key.

This communication scheme eliminates the need for access authentication at the access point sections to which the user's radio terminal apparatus is likely to carry out handover, and enables immediate communication between the radio terminal apparatus and the access point.
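As an added illustration of steps (1) to (7) above (not code from the cited paper or from this patent), the following Python simulation pre-seeds the session key at the geographically adjacent access points and releases it from access points that fall out of range after each handover. The four-AP corridor, its adjacency map, the credential, the 16-byte session key and all class and function names are assumptions. The demo makes the background's point visible: the terminal is admitted at the pre-seeded neighbour B without a new authentication, while the server itself has to track every terminal's position and the geography of every access point.

```python
"""Neighbour pre-distribution scheme of the cited IEICE 2003 paper, steps (1)-(7).

Added illustration, not the paper's own code. The four-AP corridor, its adjacency
map, the credential, the 16-byte session key and all names are assumptions.
"""
import secrets


class AccessPoint:
    """Access point section that holds session keys for terminals that may hand over to it."""

    def __init__(self, name):
        self.name = name
        self.session_keys = {}  # user_id -> session key received from the authentication server

    def hold(self, user_id, key):
        self.session_keys[user_id] = key

    def release(self, user_id):
        self.session_keys.pop(user_id, None)

    def admit(self, user_id, presented_key):
        """Step (5): allow traffic only if the presented key matches the held one."""
        held = self.session_keys.get(user_id)
        return held is not None and secrets.compare_digest(held, presented_key)


class ConventionalAuthServer:
    """Authentication server that tracks terminal position and AP geography itself."""

    def __init__(self, aps, neighbours, users):
        self.aps = {ap.name: ap for ap in aps}
        self.neighbours = neighbours  # ap name -> set of geographically adjacent ap names
        self.users = dict(users)      # user_id -> password (constructed sample data)
        self.location = {}            # user_id -> ap name currently serving the terminal
        self.messages = 0             # key pushes plus release requests sent to APs

    def login(self, user_id, password, ap_name):
        """Steps (1)-(4): full authentication at first login, then seed serving AP and neighbours."""
        if self.users.get(user_id) != password:
            return None
        key = secrets.token_bytes(16)
        self._place(user_id, ap_name, key)
        return key

    def notify_handover(self, user_id, new_ap):
        """Steps (6)-(7): the AP that saw the terminal's first packet reports the new login."""
        key = self.aps[new_ap].session_keys[user_id]  # the terminal was admitted there, so it is held
        self._place(user_id, new_ap, key)

    def _place(self, user_id, ap_name, key):
        wanted = {ap_name} | self.neighbours.get(ap_name, set())
        old = self.location.get(user_id)
        had = ({old} | self.neighbours.get(old, set())) if old else set()
        for name in wanted:
            if user_id not in self.aps[name].session_keys:
                self.aps[name].hold(user_id, key)
                self.messages += 1
        for name in had - wanted:  # APs now out of range are asked to release the key
            self.aps[name].release(user_id)
            self.messages += 1
        self.location[user_id] = ap_name


def corridor_demo():
    """Terminal walks A -> B -> C along a constructed corridor A-B-C-D of adjacent APs."""
    aps = [AccessPoint(n) for n in "ABCD"]
    neighbours = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C"}}
    server = ConventionalAuthServer(aps, neighbours, {"user116": "s3cret"})
    key = server.login("user116", "s3cret", "A")
    admitted_at_b = server.aps["B"].admit("user116", key)  # pre-seeded: no new authentication
    admitted_at_d = server.aps["D"].admit("user116", key)  # not seeded: would need full auth
    server.notify_handover("user116", "B")  # seeds C; A remains a neighbour of B
    server.notify_handover("user116", "C")  # seeds D; A is now out of range and releases
    return server, key, admitted_at_b, admitted_at_d
```

The `messages` counter is the cost the patent objects to in a centralized setting: every move costs the center station at least one key push, plus one release request per access point that falls out of range.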

As a wireless LAN network system, a network system which integrates, for example, an in-house wireless LAN network system and a public wireless LAN network system and provides a continuous, seamless communication service for a radio terminal apparatus moving across these network systems is attracting attention. A possible form of such a network system integrating a plurality of wireless LAN network systems is one which places the authentication server at a center station communicating with the plurality of wireless LAN network systems and controls the radio terminal apparatuses in a centralized manner.

Here, consider the case where, in a network system in which the center station controls the radio terminal apparatus in a centralized manner, the radio terminal apparatus moves across the plurality of wireless LAN network systems and carries out handover to a new access point section.

In this case, a wireless LAN access authentication system using the current IEEE802.1X needs to exchange an authentication number (authentication signal) between the radio terminal apparatus and the authentication server of the center station every time the access point section accessed by the radio terminal apparatus changes.

For this reason, the conventional wireless LAN access authentication system has the problem that the access authentication procedure of the radio terminal apparatus, together with the distribution of the WEP key (the cryptographic key for encrypting the radio signal transmitted through the radio section) that accompanies it, increases the time necessary for handover of the radio terminal apparatus and causes packet loss.

Moreover, the conventional wireless LAN access authentication system has the problem that, because the authentication signal is exchanged between the radio terminal apparatus and the center station every time the radio terminal apparatus moves across a plurality of access point sections, the proportion of control signals such as the authentication signal on the transmission path between the center station and each wireless LAN network system increases, preventing effective utilization of the frequency bands of that transmission path.

The aforementioned communication scheme (see "A study for a speedy handover in a radio Local Area Network", 2003 Institute of Electronics, Information and Communication Engineers General Assembly, B-6-194) is intended to solve this problem.

However, as described above, it is difficult to apply that communication scheme to a large-scale network system which integrates a plurality of wireless LAN network systems and in which the center station controls, in a centralized manner, the user IDs, WEP keys, etc., used for access authentication of the radio terminal apparatus.

That is, when the communication scheme is applied to a large-scale network system in which the user IDs, WEP keys, etc., are controlled by the center station in a centralized manner, the WEP keys must be distributed to the access point sections near each wireless LAN network system every time the radio terminal apparatus moves, so that the radio terminal apparatus can move across the plurality of wireless LAN network systems seamlessly.

For this reason, even when the communication scheme is adopted, such a large-scale network system still needs to exchange control signals such as the authentication signal frequently over the transmission path between the center station and each of the plurality of wireless LAN network systems.

Furthermore, in the communication scheme the authentication server of the center station needs to control the position information of the radio terminal apparatus and the geographic information of each access point section of the wireless LAN network systems. Having the authentication server of the center station control the geographic information of each access point section in this way further increases the load on the authentication server.

For the above reasons, it is extremely difficult to apply the communication scheme to the aforementioned large-scale network system integrating a plurality of wireless LAN network systems.

DISCLOSURE OF THE INVENTION

It is an object of the present invention to provide a wireless LAN access authentication system capable of reducing the time required for the access authentication procedure of a radio terminal apparatus, in a network system in which a center station integrates and controls a plurality of wireless LAN network systems in a centralized manner, and of reducing the number of control signals such as authentication signals between the center station and each of the wireless LAN network systems.

In order to attain the above object, the wireless LAN access authentication system of the present invention is a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls the plurality of wireless LAN network systems in a centralized manner. Each of the plurality of wireless LAN network systems comprises at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section, and a gateway apparatus which relays the transmission/reception of data signals and control signals between the access point sections. The center station comprises a center station gateway apparatus that relays the transmission/reception of data signals and control signals between the gateway apparatuses of the plurality of wireless LAN network systems, and an authentication server that performs access authentication of the radio terminal apparatus which has accessed the access point sections and distributes the cryptographic keys used for encryption of the radio section, through which the access-authenticated radio terminal apparatus carries out communication, to the radio terminal apparatus and the access point section. The wireless LAN access authentication system comprises an access control section, provided for each of the plurality of wireless LAN network systems, for controlling the situation of access of the radio terminal apparatus in its own communication area to the authentication server and for checking the presence/absence of access of the radio terminal apparatus to the authentication server when the radio terminal apparatus moves to the communication area of a new access point section, and a cryptographic key control section, provided for each of the plurality of wireless LAN network systems, for controlling the cryptographic keys distributed from the authentication server and for distributing, when the access control section confirms that the radio terminal apparatus which has moved to the communication area of the other access point section has already accessed the authentication server, the cryptographic key for the radio section through which the radio terminal apparatus carries out communication to the radio terminal apparatus and to the new access point section to which the radio terminal apparatus has moved.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram showing a configuration of a wireless LAN access authentication system according to Embodiment 1 of the present invention;

FIG. 2 is a sequence diagram showing the operation of access authentication in the wireless LAN access authentication system according to Embodiment 1 of the present invention;

FIG. 3 is a block diagram showing a configuration of a gateway apparatus of each wireless LAN network system used in the wireless LAN access authentication system according to Embodiment 1 of the present invention;

FIG. 4 is a sequence diagram showing the operation of access authentication when a radio terminal apparatus moves in the wireless LAN access authentication system according to Embodiment 1 of the present invention;

FIG. 5 is a block diagram showing a configuration of a gateway apparatus of each wireless LAN network system used in a wireless LAN access authentication system according to Embodiment 2 of the present invention;

FIG. 6 is a sequence diagram showing the operation of access authentication when a radio terminal apparatus moves in the wireless LAN access authentication system according to Embodiment 2 of the present invention;

FIG. 7 is a block diagram showing a configuration of a radio terminal apparatus used in a wireless LAN access authentication system according to Embodiment 3 of the present invention; and

FIG. 8 is a block diagram showing another configuration of a radio terminal apparatus used in the wireless LAN access authentication system according to Embodiment 3 of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The essence of the present invention is to control the situation of access of a radio terminal apparatus to the authentication server of a center station, which integrates a plurality of wireless LAN network systems, through an access control section of each of the wireless LAN network systems, and, when it is confirmed that a radio terminal apparatus which has moved to the communication area of a new access point section has already accessed the authentication server, to distribute the cryptographic key of the radio section to the radio terminal apparatus and to the new access point section in the area to which the radio terminal apparatus has moved, through a cryptographic key control section of each wireless LAN network system.

With reference now to the attached drawings, embodiments of the present invention will be explained in detail below. The following explanations describe a network system which integrates an in-house wireless LAN network system and a public wireless LAN network system as an example of the wireless LAN network system.

(Embodiment 1)

FIG. 1 is a schematic block diagram showing a configuration of a network system using a wireless LAN access authentication system according to Embodiment 1 of the present invention. As shown in FIG. 1, this network system comprises a center station 100, a head office wireless LAN network system 110, a branch office wireless LAN network system 120 and a public wireless LAN network system 130.

In FIG. 1, the center station 100 controls the head office wireless LAN network system 110, the branch office wireless LAN network system 120 and the public wireless LAN network system 130 in a centralized manner. Furthermore, the center station 100 comprises a center station gateway apparatus 101 and an authentication server 102.

On the other hand, the head office wireless LAN network system 110 comprises a head office gateway apparatus 111 and head office access point sections 112, 113, 114. This head office wireless LAN network system 110 carries out communications with radio terminal apparatuses 115, 116 such as a notebook personal computer, PDA or cellular phone.

Furthermore, the branch office wireless LAN network system 120 comprises a branch office gateway apparatus 121 and branch office access point sections 122, 123, 124. This branch office wireless LAN network system 120 carries out communications with radio terminal apparatuses 125, 126 such as a notebook personal computer, PDA or cellular phone.

Furthermore, the public wireless LAN network system 130 comprises a public gateway apparatus 131 and public access point sections 132, 133, 134. This public wireless LAN network system 130 carries out communications with radio terminal apparatuses 135, 136 such as a notebook personal computer, PDA or cellular phone.

Next, the operation of each apparatus constituting a network system using the wireless LAN access authentication system according to this Embodiment 1 will be explained using the sequence diagram shown in FIG. 2.

In FIG. 2, when a radio terminal apparatus (here, suppose the radio terminal apparatus 116) accesses the head office wireless LAN network system 110, the branch office wireless LAN network system 120 or the public wireless LAN network system 130 for the first time, the radio terminal apparatus sends an access request to a desired access point section (here, suppose the head office access point section 114). After the access to the head office access point section 114 through the radio section is completed, the access of this radio terminal apparatus 116 is authenticated using a predetermined authentication procedure.

This authentication procedure is carried out by the radio terminal apparatus 116 accessing the authentication server 102 in the center station 100, based on the IEEE802.1X protocol, through the head office gateway apparatus 111 of the head office wireless LAN network system 110 and the center station gateway apparatus 101 of the center station 100.

In this authentication procedure, as shown in FIG. 2, the head office access point section 114 requests an Identity from the radio terminal apparatus 116 which has sent the access request to the head office access point section 114. In response to the request for the Identity, the radio terminal apparatus 116 sends a response signal including the user ID of the user of the radio terminal apparatus 116 to the head office access point section 114. The head office access point section 114, having received the response signal, sends an authentication signal for access authentication of the radio terminal apparatus 116 to the head office gateway apparatus 111.

Here, the case where the radio terminal apparatus 116 in the head office wireless LAN network system 110 accesses the authentication server 102 of the center station 100 through the head office access point section 114 has been explained, but similar operations are also performed for the other radio terminal apparatuses.

The gateway apparatuses 111, 121, 131 located in the wireless LAN network systems 110, 120, 130 of the network system using the wireless LAN access authentication system according to Embodiment 1 have the following configuration.

FIG. 3 is a block diagram showing a gateway apparatus having a configuration common to the gateway apparatuses 111, 121, 131.

As shown in FIG. 3, each of the gateway apparatuses 111, 121, 131 is provided with a data transmission/reception section 301, a switching section 302, a switching section 303, a data transmission/reception section 304, a user access control section 305 and a WEP key control section 306.

Here, the data transmission/reception section 301 transmits/receives data to/from the access point section with which it communicates. The switching section 302 selects a transmission path for the data transmission/reception section 301. The switching section 303 selects a transmission path for the data transmission/reception section 304. The data transmission/reception section 304 transmits/receives data to/from the center station gateway apparatus with which it communicates. The user access control section 305 controls the access situation of each radio terminal apparatus with which it communicates. The WEP key control section 306 controls the cryptographic keys (WEP keys) distributed from the authentication server 102, in association with the radio terminal apparatuses to which they are assigned.

The gateway apparatus (here, suppose the head office gateway apparatus 111) checks the access situation of the radio terminal apparatus which has sent the access request (here, suppose the radio terminal apparatus 116) according to, for example, the response signal including the user ID sent from the access point section 114. Here, if the radio terminal apparatus 116 which has sent the access request is accessing for the first time (initial access), the radio terminal apparatus 116 is registered as "no access" in the user access control section 305.

In the case of initial access, the gateway apparatus 111 transfers the response signal to the authentication server 102 through the center station gateway apparatus 101 of the center station 100, which performs the centralized control.

The authentication server 102, having received this response signal, exchanges an authentication sequence with the radio terminal apparatus 116 which has sent the access request, through the center station gateway apparatus 101, the gateway apparatus 111 and the access point section 114, and thereby performs access authentication of the radio terminal apparatus 116.

Furthermore, when the access authentication of the radio terminal apparatus 116 which has sent the access request is completed as described above, the authentication server 102 distributes a WEP key, which is the cryptographic key for encrypting the transmission/reception data of the radio section, to this radio terminal apparatus and to each access point section. At this time, the gateway apparatus 111 registers the user ID of the radio terminal apparatus 116 whose access authentication has been completed in the user access control section 305 and controls the access situation of that radio terminal apparatus 116.

On the other hand, the WEP key control section 306 associates the distributed cryptographic key (WEP key) with the radio terminal apparatus 116 to which it is assigned and saves the WEP key of the radio terminal apparatus 116 whose access authentication has been completed. The radio terminal apparatus 116 and the access point section 114 to which the WEP key has been distributed exchange the transmission/reception data of the radio section encrypted using the WEP key.

Next, the operation of a radio terminal apparatus which has been carrying out communication via an access point section in one wireless LAN network system, and which moves and carries out access authentication in order to communicate via an access point section in another wireless LAN network system, will be explained.

FIG. 4 is a sequence diagram showing the operation in the case where such a radio terminal apparatus, moving across access point sections, carries out access authentication. Here, suppose the wireless LAN network system is the head office wireless LAN network system 110 and the access point section is the head office access point section 114. Furthermore, suppose the radio terminal apparatus is the radio terminal apparatus 116 and the access point section in the other wireless LAN network system is the access point section 124 of the branch office wireless LAN network system 120.

In FIG. 4, the moving radio terminal apparatus 116 detects a beacon (call sign and carrier) from the new access point section 124 in the destination area, sends an access request to this new access point section 124 and carries out the access procedure of the predetermined radio section.

When the access procedure is completed, the moving radio terminal apparatus 116 receives an Identity request from the new access point section 124 in order to carry out access authentication. In response to this Identity request, the radio terminal apparatus 116 sends a response signal including the user ID to the new access point section 124.

The access point section 124, having received the response signal, sends the response signal from the radio terminal apparatus 116 to the gateway apparatus 121. The gateway apparatus 121 checks the access situation of the radio terminal apparatus 116 of the user who sent the access request through the user access control section 305, based on the response signal including the user ID sent from the access point section 124.

Here, if the radio terminal apparatus 116 of the user who sent the access request is already registered through the aforementioned initial access, the gateway apparatus 121 searches for the WEP key assigned to the radio terminal apparatus 116 which sent the access request through the WEP key control section 306, and redistributes the WEP key registered beforehand to the new access point section 124 in the destination area and to the radio terminal apparatus 116 which sent the access request.

In this way, the radio terminal apparatus 116 and the access point section 124 to which the WEP key has been distributed exchange the transmission/reception data of the predetermined radio section encrypted using the redistributed WEP key.

The user access control section 305 and the WEP key control section 306 control the access situation of each radio terminal apparatus and its assigned WEP key, and delete the registration of a radio terminal apparatus which has sent no access request for a certain time, so as to cope with the cases where the apparatus is powered off or moves to another domain.
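The initial-access path of FIG. 2, the handover path of FIG. 4 and the idle-timeout deletion just described, as an added Python example that is not code from the patent. Class and method names, the 600-second idle timeout and the 13-byte key length are assumptions. `AuthServer` stands in for authentication server 102: instead of running an IEEE802.1X/EAP exchange it checks a constructed password and issues a fresh random key, which it pushes to every gateway, since the patent distributes the key to "each access point section" and that is what lets the WEP key control section 306 of gateway 121 find a key issued through gateway 111. One caveat a practitioner should keep in mind: WEP has since been cryptographically broken (key recovery from captured traffic is practical), so the example treats the key purely as an opaque token whose distribution path is the subject of the patent.

```python
"""Gateway-side handover shortcut of Embodiment 1 (sections 305 and 306).

Added illustration, not code from the patent; names, timeout and key length are assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 600.0  # seconds; assumed value for the "certain time" after which a registration is deleted


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the idle purge can be exercised."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, dt):
        self.t += dt


class AuthServer:
    """Stand-in for authentication server 102 at the center station."""

    def __init__(self, users):
        self._users = dict(users)  # user_id -> password (constructed sample data)
        self.gateways = []         # every gateway apparatus that receives distributed keys
        self.auth_rounds = 0       # full authentication sequences run with the center station

    def authenticate(self, user_id, password):
        self.auth_rounds += 1
        if self._users.get(user_id) != password:
            return None
        key = secrets.token_bytes(13)  # 104-bit WEP key, treated as an opaque token here
        for gw in self.gateways:       # distribute to each wireless LAN network system
            gw.store_key(user_id, key)
        return key


class Gateway:
    """Gateway apparatus with user access control section 305 and WEP key control section 306."""

    def __init__(self, name, server, clock=time.monotonic):
        self.name = name
        self.server = server
        self.clock = clock
        self.access = {}      # 305: user_id -> time of last access request
        self.keys = {}        # 306: user_id -> WEP key distributed by the server
        self.installed = {}   # ap name -> {user_id: key} currently pushed to that access point
        self.center_msgs = 0  # authentication signals forwarded toward the center station
        server.gateways.append(self)

    def store_key(self, user_id, key):
        """Key distributed by the server after a completed authentication; user becomes registered."""
        self.keys[user_id] = key
        self.access[user_id] = self.clock()

    def identity_response(self, ap, user_id, password=None):
        """Handle the EAP-Response/Identity relayed by access point `ap`.

        Returns ("redistributed" | "authenticated" | "rejected", key or None).
        """
        if user_id in self.keys:
            # Registered through initial access: redistribute the stored key locally,
            # with no exchange with the center station (FIG. 4 path).
            key = self.keys[user_id]
            self.access[user_id] = self.clock()
            self.installed.setdefault(ap, {})[user_id] = key
            return "redistributed", key
        # Initial access ("no access" in 305): forward to the center station (FIG. 2 path).
        self.center_msgs += 1
        key = self.server.authenticate(user_id, password)
        if key is None:
            return "rejected", None
        self.installed.setdefault(ap, {})[user_id] = key
        return "authenticated", key

    def purge_idle(self):
        """Delete registrations of terminals that sent no access request for IDLE_TIMEOUT."""
        now = self.clock()
        stale = [u for u, t in self.access.items() if now - t > IDLE_TIMEOUT]
        for u in stale:
            del self.access[u]
            del self.keys[u]
            for pushed in self.installed.values():
                pushed.pop(u, None)
        return stale


def handover_demo(clock):
    """Terminal 116 authenticates via AP 114 (gateway 111), then moves to AP 124 (gateway 121)."""
    server = AuthServer({"user116": "s3cret"})  # constructed sample credential
    gw111 = Gateway("gw111", server, clock)
    gw121 = Gateway("gw121", server, clock)
    first = gw111.identity_response("ap114", "user116", "s3cret")
    moved = gw121.identity_response("ap124", "user116")
    return server, gw111, gw121, first, moved
```

The counters make the patent's claim measurable: the handover to gateway 121 returns the same key with `center_msgs` still zero there, and only a purged (or never registered) terminal triggers a further round with the server.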

The wireless LAN access authentication system according to Embodiment 1 provides, in each of the gateway apparatuses 111, 121, 131, the user access control section 305 and WEP key control section 306 which control the access situation of the user's radio terminal apparatus and its WEP key, but the user access control section 305 and WEP key control section 306 may also be separated from the gateway apparatus and provided independently in each of the wireless LAN network systems.

Thus, in the wireless LAN access authentication system according to this Embodiment 1, the gateway apparatuses 111, 121, 131 provided in each wireless LAN network system can carry out access authentication and distribute the WEP key when a new access point section is accessed, and can thereby shorten the time required for the access authentication procedure accompanying the movement of the radio terminal apparatus.

In this way, the wireless LAN access authentication system according to Embodiment 1 can shorten the time required for handover when the radio terminal apparatus moves, drastically reduce the number of authentication signals between each wireless LAN network system and the center station 100, and make effective use of the frequency bands of the transmission path.

(Embodiment 2)

Next, Embodiment 2 of the present invention will be explained in detailwith reference to the attached drawings.

The wireless LAN access authentication system according to Embodiment 2of the present invention has a function of counting an access time andcommunication packet amount of a radio terminal apparatus with which itcommunicates in addition to the wireless LAN access authenticationsystem according to Embodiment 1 of the present invention.

The wireless LAN access authentication system according to thisEmbodiment 2 requests the radio terminal apparatus for reauthenticationwith the authentication server 102 of the center station 100 anddistribution of a new cryptographic key when the access time of theradio terminal apparatus with which it communicates or a communicationpacket amount reaches a predetermined amount.

FIG. 5 shows a configuration of a gateway apparatus used in the wirelessLAN access authentication system according to this Embodiment 2. In thegateway apparatus used in the wireless LAN access authentication systemaccording to this Embodiment 2, the components having the same functionsas those of the gateway apparatus 300 shown in FIG. 3 are assigned thesame reference numerals and detailed explanations thereof will beomitted.

As shown in FIG. 5, a gateway apparatus 500 used in the wireless LANaccess authentication system according to this Embodiment 2 has a useraccess control section 501 instead of the user access control section305 in Embodiment 1 of the present invention. The user access controlsection 501 of this gateway apparatus 500 is provided with an accesstime control section 502 and communication packet amount control section503. The access time control section 502 counts an access time of eachradio terminal apparatus with which it communicates. Furthermore, thecommunication packet amount control section 503 counts a communicationpacket amount of each radio terminal apparatus with which itcommunicates.

Next, the operation up to reauthentication and redistribution of acryptographic key of the radio terminal apparatus of the wireless LANaccess authentication system according to this Embodiment 2 will beexplained. FIG. 6 is a sequence diagram showing the operation up toreauthentication and redistribution of acryptographic key of the radioterminal apparatus (here, suppose radio terminal apparatus 116) in thewireless LAN access authentication system according to this Embodiment2.

In FIG. 6, when access authentication between the radio terminalapparatus 116 which has sent an access request and authentication server102 is completed, the radio terminal apparatus 116 starts acommunication with a desired network system. Furthermore, simultaneouslywith this, the access time control section 502 and communication packetamount control section 503 of the gateway apparatus 500 start to countthe access time and packet amount of the radio terminal apparatus 116.

Here, for example, when the radio terminal apparatus 116 which iscarrying out communication via the access point section 114 moves andattempts to carry out communication via a new access point section 124,a cryptographic key (WEP key) controlled by the WEP key control section306 of the gateway apparatus 500 is redistributed to this moving radioterminal apparatus 116 and the new access point section 124 in thedestination area. In this way, the moving radio terminal apparatus 116carries out communication using the same cryptographic key as thecryptographic key distributed at the time of initial accessauthentication.

Then, when the access time or communication packet amount counted by theaccess time control section 502 or communication packet amount controlsection 503 of the gateway apparatus 500 reaches a predetermined amount,the gateway apparatus 500 notifies the accessing radio terminalapparatus 116 of a signal requesting the execution of a procedure forreauthentication and redistribution of a cryptographic key with theauthentication server 102 of the center station 100.

At this time, the registration content of the access situation of theuser's radio terminal apparatus 116 controlled by the user accesscontrol section 501 of the gateway apparatus 500 is changed to thecontent indicating that the reauthentication is necessary. Furthermore,the communication mode of this wireless LAN access authentication systemis changed to a mode in which the authentication signal sent from theradio terminal apparatus 116 is transferred to the authentication server102 of the center station 100.

In this way, when the radio terminal apparatus 116 which has receivedthe signal requesting the reauthentication and redistribution of thecryptographic key sends an authentication request signal to the accesspoint section 124, a series of authentication sequences shown in FIG. 6is started.

When a predetermined authentication procedure based on the IEEE802.1Xprotocol is completed, a new cryptographic key (WEP key) is distributedto the radio terminal apparatus 116 and new access point section 124 inthe destination area by the authentication server 102, and the radioterminal apparatus 116 and the new access point section 124 in thedestination area communicate transmission data encrypted using a newcryptographic key.

Furthermore, simultaneously with this, the gateway apparatus 500 saves the new cryptographic key through the WEP key control section 306 and restarts counting the access time and packet amount of the radio terminal apparatus 116 through the access time control section 502 and communication packet amount control section 503.

In this way, in the wireless LAN access authentication system according to this Embodiment 2, the access time control section 502 and communication packet amount control section 503 of the gateway apparatus 500 control the access time and packet amount of the radio terminal apparatus 116.

Then, when the access time or communication packet amount of the accessing radio terminal apparatus 116 reaches a predetermined amount, this radio terminal apparatus 116 is requested to carry out the procedure for reauthentication of access authentication and redistribution of the cryptographic key with the authentication server 102 of the center station 100.

Therefore, according to the wireless LAN access authentication system according to this Embodiment 2, the cryptographic key (WEP key) used between this radio terminal apparatus and its access point section is updated every time the access time or communication packet amount of the accessing radio terminal apparatus reaches a predetermined amount. This bounds the time and the amount of traffic protected by any one key, and so limits the opportunity for an attacker who recovers a WEP key to use it for illegal access by a spoofed radio terminal apparatus.

(Embodiment 3)

Next, Embodiment 3 of the present invention will be explained in detail with reference to the attached drawings.

In the wireless LAN access authentication system according to Embodiment 3 of the present invention, each radio terminal apparatus is provided with a SIM (Subscriber Identity Module) card as an information card which records ID information used when access of the radio terminal apparatus is authenticated by the authentication server 102 of the center station 100; the radio terminal apparatus extracts the user ID used for the aforementioned access authentication from this SIM card and carries out the access authentication procedure.

FIG. 7 is a block diagram showing the configuration of a radio terminal apparatus used in the wireless LAN access authentication system according to this Embodiment 3. As shown in FIG. 7, this radio terminal apparatus 700 is provided with a wireless LAN I/F (access interface for wireless LAN) 701, a SIM card 702, an EAP client 703 and a WEP client 704.

In this radio terminal apparatus 700, the EAP client 703 having the IEEE802.1X (EAP: Extensible Authentication Protocol) function exchanges authentication signals with the authentication server 102 of the center station 100. The IEEE802.1X sequence is then executed using the user ID recorded in the SIM card 702.

The user ID recorded in the SIM card 702 is also registered in the authentication server 102 of the center station 100. Furthermore, after access authentication, the radio terminal apparatus 700 performs encryption and decryption through the WEP client 704 using the cryptographic key assigned by the authentication server 102.

FIG. 8 is a block diagram showing another configuration of the radio terminal apparatus used in the wireless LAN access authentication system according to this Embodiment 3. As shown in FIG. 8, this radio terminal apparatus 800 is provided with a cellular wireless I/F 801 and a cellular authentication client 802 in addition to the configuration of the radio terminal apparatus 700 shown in FIG. 7. That is, this radio terminal apparatus 800 is provided with the cellular wireless I/F 801, which is a cellular wireless access interface, in addition to the wireless LAN I/F 701, which is a wireless LAN access interface.

In this radio terminal apparatus 800, as shown in FIG. 8, the user ID recorded in the SIM card 702 is given to the EAP client 703 and used for access authentication on the wireless LAN network system side.

Furthermore, in this radio terminal apparatus 800, the user ID recorded in the SIM card 702 is also given to the cellular authentication client 802, which performs authentication toward the cellular wireless network system, and is thus also used for access authentication on the cellular wireless network system side.

Here, the case where the user ID of the SIM card 702 mounted in the radio terminal apparatus 700 or radio terminal apparatus 800 is used for access authentication has been explained, but as the user information used for access authentication, it is also possible to use user information recorded in, for example, a UIM (User Identity Module) card mounted in a third-generation cellular phone set to perform a similar authentication procedure.

According to the wireless LAN access authentication system according to this Embodiment 3, even when the user changes the type of radio terminal apparatus, the authentication ID used at the time of access authentication of the user does not change, so it is possible to control the user ID and billing of the user in a centralized manner and also to unify access authentication and billing across both the cellular wireless network system and the wireless LAN network system.

The wireless LAN access authentication system according to an embodiment of the present invention is a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls the plurality of wireless LAN network systems in a centralized manner, each of the plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section and a gateway apparatus which relays transmission/reception of data signals and control signals between the access point sections, the center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of the plurality of wireless LAN network systems and an authentication server that performs access authentication on the radio terminal apparatus which has accessed the access point sections and distributes cryptographic keys used for encryption of a radio section through which the access-authenticated radio terminal apparatus carries out communication to the radio terminal apparatus and the access point section, the wireless LAN access authentication system comprising an access control section provided for each of the plurality of wireless LAN network systems for controlling the situation of access of the radio terminal apparatus in the own communication area to the authentication server and checking the presence/absence of access of the radio terminal apparatus to the authentication server when the radio terminal apparatus moves to a communication area of a new access point section and a cryptographic key control section provided for each of the plurality of wireless LAN network systems for controlling cryptographic keys distributed from the authentication server and distributing, when the access control section confirms that the radio terminal apparatus which has moved to the communication area of the other access point section has already accessed the authentication server, the cryptographic key for the radio section through which the radio terminal apparatus carries out communication to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved.

In this configuration, when the radio terminal apparatus moves within a predetermined wireless LAN network, the access control section checks the situation of access of the radio terminal apparatus to the authentication server. When it is confirmed that this radio terminal apparatus has already accessed the authentication server, the cryptographic key control section distributes the cryptographic key to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved. The radio terminal apparatus which is confirmed to have already accessed the authentication server is granted access to a desired wireless LAN network without exchanging any authentication signal with the authentication server of the center station when the radio terminal apparatus moves to the new access point section. Thus, this configuration can shorten the time required for an authentication procedure for access authentication accompanying the movement of the radio terminal apparatus, facilitate handover of the radio terminal apparatus to the new access point section, drastically reduce the number of control signals (authentication signaling number) between each of the wireless LAN networks and the center station and realize effective utilization of frequency bands in a transmission path.

Furthermore, in the wireless LAN access authentication system according to another embodiment of the present invention, the access control section and the cryptographic key control section are arranged in the gateway apparatus.

According to this configuration, since the access control section and the cryptographic key control section are arranged in each gateway apparatus of each of the wireless LAN networks, it is possible to simplify the configuration of each of the wireless LAN networks.

In the wireless LAN access authentication system according to a further embodiment of the present invention, the access control section includes a control section that controls at least one access amount of an access time or communication packet amount of the radio terminal apparatus and requests the radio terminal apparatus for reauthentication when the access amount reaches a predetermined amount.

According to this configuration, the control section requests the radio terminal apparatus for reauthentication when the access amount reaches a predetermined amount, allowing the radio terminal apparatus to update the cryptographic key of the radio section of communication. Thus, this configuration bounds the time and traffic available to an attacker for recovering any one cryptographic key, and so limits the opportunity for a spoofed radio terminal apparatus to gain illegal access with a recovered key.

In the wireless LAN access authentication system according to a still further embodiment of the present invention, the radio terminal apparatus is provided with an information card which records ID information and uses the ID information recorded in the information card as an authentication ID at the time of access authentication of the radio terminal apparatus.

In this configuration, the ID information recorded in the information card (e.g., SIM card or UIM card) of the radio terminal apparatus is used as the authentication ID for access authentication of the radio terminal apparatus. Therefore, according to this configuration, the authentication ID used at the time of access authentication of the user does not change even when the user changes the type of radio terminal apparatus, and it is possible to control the user ID and billing of the user in a centralized manner.

Furthermore, the wireless LAN access authentication method according to a still further embodiment of the present invention is a wireless LAN access authentication method in a network system comprising a plurality of wireless LAN network systems and a center station that controls the plurality of wireless LAN network systems in a centralized manner, each of the plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section and a gateway apparatus which relays transmission/reception of data signals and control signals between the access point sections, and the center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between each of the gateway apparatuses of the plurality of wireless LAN network systems and an authentication server that performs access authentication of the radio terminal apparatus accessed by the access point sections and distributes cryptographic keys used for encryption of a radio section through which the access-authenticated radio terminal apparatus carries out communication to the radio terminal apparatus and the access point section, the wireless LAN access authentication method comprising an access control step of controlling the situation of access of the radio terminal apparatus in each of the wireless LAN network systems to the authentication server and checking the presence/absence of access of the radio terminal apparatus to the authentication server when the radio terminal apparatus moves to a communication area of a new access point section and a cryptographic key control step of controlling cryptographic keys distributed from the authentication server and distributing, when it is confirmed in the access control step that the radio terminal apparatus which has moved to the communication area of the other access point section has already accessed the authentication server, the cryptographic key for the radio section through which the radio terminal apparatus carries out communication to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved.

According to this method, when the radio terminal apparatus moves within a predetermined wireless LAN network, the situation of access of the radio terminal apparatus to the authentication server is checked in the access control step. When it is confirmed that the radio terminal apparatus has already accessed the authentication server, the cryptographic key is distributed to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved in the cryptographic key control step. The radio terminal apparatus confirmed to have already accessed the authentication server in this way is granted access to a desired wireless LAN network when moving to a new access point section without exchanging any authentication signal with the authentication server of the center station. Therefore, according to this method, it is possible to shorten the time required for an authentication procedure for access authentication accompanying the movement of the radio terminal apparatus. Furthermore, this method allows the radio terminal apparatus to carry out handover to a new access point section easily. Moreover, this method can drastically reduce the number of control signals (authentication signaling number) such as authentication signals between each of the wireless LAN networks and the center station. Furthermore, this method allows effective utilization of frequency bands in a transmission path to be realized.

Furthermore, the authentication server according to a still further embodiment of the present invention is an authentication server placed in a center station which carries out access authentication of a radio terminal apparatus in a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls the plurality of wireless LAN network systems in a centralized manner, each of the plurality of wireless LAN network systems comprising at least two access point sections accessed by the radio terminal apparatus that transmits/receives a radio signal through a radio section and a gateway apparatus that relays transmission/reception of data signals and control signals between the access point sections, the center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of the plurality of wireless LAN network systems, the authentication server comprising an access authentication section that performs access authentication when the radio terminal apparatus accesses a predetermined access point section of each of the wireless LAN networks and a cryptographic key distribution section that distributes cryptographic keys of a radio section through which the radio terminal apparatus accesses each gateway apparatus of each of the wireless LAN networks all together.

According to this configuration, it is possible to perform access authentication when the radio terminal apparatus accesses the network and, all together with it, to distribute the cryptographic key for the radio section to each gateway apparatus of each of the wireless LAN networks.

Furthermore, the gateway apparatus according to a still further embodiment of the present invention is a gateway apparatus in each of the wireless LAN networks in a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls the plurality of wireless LAN network systems in a centralized manner, each of the plurality of wireless LAN network systems comprising at least two access point sections accessed by the radio terminal apparatus that transmits/receives a radio signal through a radio section, the center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of the plurality of wireless LAN network systems and an authentication server that performs access authentication of the radio terminal apparatus which has accessed the access point section and distributes cryptographic keys used for encryption of a radio section through which the access-authenticated radio terminal apparatus carries out communication to the radio terminal apparatus and the access point section, the gateway apparatus comprising a transmission/reception section that transmits/receives the data signals and the control signals to/from the center station gateway apparatus of the center station, an access control section that controls the situation of access of the radio terminal apparatus to the authentication server within each wireless LAN network and checks the presence/absence of access of the radio terminal apparatus to the authentication server when the radio terminal apparatus moves to a communication area of a new access point section and a cryptographic key control section that controls cryptographic keys distributed from the authentication server through the access control section and distributes, when it is confirmed that the radio terminal apparatus which has moved to the communication area of the other access point section has already accessed the authentication server, the cryptographic key for the radio section through which the radio terminal apparatus carries out communication to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved.

In this configuration, the access control section of the gateway apparatus controls the situation of access of the radio terminal apparatus in each of the wireless LAN networks to the authentication server. When the radio terminal apparatus moves to the communication area of a new access point section, the access control section can check the presence/absence of access of this radio terminal apparatus to the authentication server. Furthermore, when it is confirmed that the radio terminal apparatus has already accessed the authentication server, the gateway apparatus can distribute the cryptographic key of the radio section to the radio terminal apparatus and the new access point section in the area to which the radio terminal apparatus has moved through the cryptographic key control section. Therefore, according to this configuration, it is possible to shorten the time required for the authentication procedure accompanying the movement of the radio terminal apparatus, simplify handover of the radio terminal apparatus to the new access point section, drastically reduce the authentication signaling number between each of the wireless LAN networks and the center station and realize effective utilization of frequency bands in a transmission path.

Furthermore, in the gateway apparatus according to a still further embodiment of the present invention, the access control section includes a control section that controls an access amount of at least one of an access time or communication packet amount of the radio terminal apparatus and requests the radio terminal apparatus for reauthentication at the time at which the access amount has reached a predetermined amount.

This configuration allows the control section to request the radio terminal apparatus for reauthentication when the access amount has reached a predetermined amount, making it possible to update the cryptographic key in the radio section through which this radio terminal apparatus carries out communication. Therefore, this configuration bounds the lifetime of each cryptographic key and so limits the opportunity for an illegal radio terminal apparatus to make spoofed access with a recovered key.
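The gateway-side decision logic described in Embodiment 2 and restated in the summary passages above (the presence/absence check on handover, redistribution of the cached key to the new access point section, and the access-time and packet-amount thresholds that force a fresh IEEE802.1X run) is modelled below. This is an added illustrative example, not code from the patent or any vendor's product. The numbered sections are mapped to attributes by assumption, the authentication server is modelled as issuing a random 104-bit key per successful 802.1X run (the key length is an assumption; the page does not state one), and WEP encryption itself is deliberately left out because WEP is broken in practice, so the point shown is the key-lifetime bookkeeping rather than the cipher. Two caveats a practitioner will want: the flow trusts whatever identifier is used for the presence/absence lookup (here a user ID), and it does not specify how the redistributed key is protected on its way to the terminal and the new access point; the example leaves both as they are in the text.

```python
# Added example: gateway-side model of the key cache, handover check and
# rekey-threshold logic of Embodiment 2. Not the patent's code.
# Assumptions: section numbers map to the attributes named in comments; the
# auth server issues a random 104-bit key per 802.1X run; WEP is not implemented.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
import secrets


class Mode(Enum):
    LOCAL_REDISTRIBUTE = "gateway redistributes cached key"       # terminal already authenticated
    FORWARD_TO_AUTH_SERVER = "802.1X forwarded to center station"  # initial access or reauth


@dataclass
class TerminalState:
    key: bytes                     # WEP key control section 306: cached key
    current_ap: str
    access_seconds: int = 0        # access time control section 502
    packets: int = 0               # communication packet amount control section 503
    reauth_required: bool = False  # user access control section 501: "reauthentication necessary"


class AuthServer:
    """Stand-in for authentication server 102 (assumption: fresh random key per run)."""

    def __init__(self, registered_ids):
        self.registered_ids = set(registered_ids)   # user IDs, e.g. read from a SIM (Embodiment 3)
        self.runs = 0                               # number of full 802.1X sequences executed

    def authenticate(self, user_id: str) -> Optional[bytes]:
        if user_id not in self.registered_ids:
            return None
        self.runs += 1
        return secrets.token_bytes(13)              # 104-bit key; length is an assumption


class Gateway:
    """Gateway apparatus 500: caches keys and decides per attach whether to reauthenticate."""

    def __init__(self, auth_server: AuthServer, max_seconds: int, max_packets: int):
        self.auth_server = auth_server
        self.max_seconds = max_seconds
        self.max_packets = max_packets
        self.terminals: Dict[str, TerminalState] = {}
        self.ap_keys: Dict[Tuple[str, str], bytes] = {}   # (ap, user_id) -> key pushed to that AP

    def attach(self, user_id: str, ap: str) -> Tuple[Mode, Optional[bytes]]:
        """Presence/absence check: redistribute the cached key, or run a full 802.1X sequence."""
        state = self.terminals.get(user_id)
        if state is None or state.reauth_required:
            key = self.auth_server.authenticate(user_id)
            if key is None:
                return Mode.FORWARD_TO_AUTH_SERVER, None          # unknown ID: no key, no access
            # new key saved and counters restarted, as after the FIG. 6 sequence
            self.terminals[user_id] = TerminalState(key=key, current_ap=ap)
            self.ap_keys[(ap, user_id)] = key
            return Mode.FORWARD_TO_AUTH_SERVER, key
        # already registered and not due for reauth: handover without center-station traffic
        state.current_ap = ap
        self.ap_keys[(ap, user_id)] = state.key
        return Mode.LOCAL_REDISTRIBUTE, state.key

    def account(self, user_id: str, seconds: int = 0, packets: int = 0) -> bool:
        """Sections 502/503: count usage; return True once either threshold is reached."""
        state = self.terminals[user_id]
        state.access_seconds += seconds
        state.packets += packets
        if state.access_seconds >= self.max_seconds or state.packets >= self.max_packets:
            state.reauth_required = True     # section 501 now records "reauthentication necessary"
        return state.reauth_required


def demo() -> list:
    """Walk one terminal through initial access, handover, threshold hit and reauthentication."""
    server = AuthServer(["user116"])
    gw = Gateway(server, max_seconds=3600, max_packets=1000)
    trace = []
    mode, k1 = gw.attach("user116", "AP114")   # initial access: full 802.1X
    trace.append((mode.name, server.runs))
    mode, k2 = gw.attach("user116", "AP124")   # move to AP 124: same key, no 802.1X
    trace.append((mode.name, server.runs, k2 == k1))
    gw.account("user116", packets=1000)        # packet threshold reached
    mode, k3 = gw.attach("user116", "AP124")   # next attach is forced through the auth server
    trace.append((mode.name, server.runs, k3 == k1))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The handover path never touches `auth_server`, which is the signalling saving the text claims; the price is that one key now covers every access point the terminal visits until a threshold trips, so `max_seconds` and `max_packets` are the only bound on that key's exposure and should be set conservatively.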

Furthermore, the radio terminal apparatus according to a still further embodiment of the present invention is a radio terminal apparatus used in a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station which controls the plurality of wireless LAN network systems in a centralized manner, each of the plurality of wireless LAN network systems including at least two access point sections accessed by the radio terminal apparatus transmitting/receiving a radio signal through a radio section and a gateway apparatus that relays transmission/reception of data signals and control signals between the access point sections, the center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of the plurality of wireless LAN network systems and an authentication server that performs access authentication on the radio terminal apparatus which has accessed the access point section and distributes the cryptographic key used for encryption of the radio section through which the access-authenticated radio terminal apparatus carries out communication to the radio terminal apparatus and the access point section, the radio terminal apparatus comprising an information card in which ID information is recorded for use when access authentication is performed by the authentication server of the center station.

According to this configuration, the ID information recorded in the information card (e.g., SIM card or UIM card) of the radio terminal apparatus is used as the authentication ID during access authentication of the radio terminal apparatus. Therefore, even when the user changes the type of radio terminal apparatus, the authentication ID used during access authentication of this user does not change, and the user ID and billing of the user can thereby be controlled in a centralized manner.

This application is based on the Japanese Patent Application No. 2003-137830 filed on May 15, 2003, the entire content of which is expressly incorporated by reference herein.

INDUSTRIAL APPLICABILITY

The present invention is applicable to a wireless LAN access authentication system of a radio terminal apparatus in a network system which integrates a plurality of wireless LAN network systems having at least two access point sections accessed by the radio terminal apparatus through a radio section.

1. A wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls said plurality of wireless LAN network systems in a centralized manner, each of said plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section and a gateway apparatus which relays transmission/reception of data signals and control signals between said access point sections, said center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of said plurality of wireless LAN network systems and an authentication server that performs access authentication on said radio terminal apparatus which has accessed said access point sections and distributes cryptographic keys used for encryption of a radio section through which said access-authenticated radio terminal apparatus carries out communication to said radio terminal apparatus and said access point section, said wireless LAN access authentication system comprising: an access control section provided for each of said plurality of wireless LAN network systems for controlling the situation of access of said radio terminal apparatus in the own communication area to said authentication server and checking the presence/absence of access of said radio terminal apparatus to said authentication server when said radio terminal apparatus moves to a communication area of a new access point section; and a cryptographic key control section provided for each of said plurality of wireless LAN network systems for controlling cryptographic keys distributed from said authentication server and distributing, when said access control section confirms that said radio terminal apparatus which has moved to the communication area of the other access point section has already accessed said authentication server, the cryptographic key for said radio section through which said radio terminal apparatus carries out communication to said radio terminal apparatus and said new access point section in the area to which said radio terminal apparatus has moved.
2. The wireless LAN access authentication system according to claim 1, wherein said access control section and said cryptographic key control section are arranged in said gateway apparatus.
3. The wireless LAN access authentication system according to claim 2, wherein said access control section comprises a control section that controls at least one access amount of an access time of said radio terminal apparatus or communication packet amount and requests said radio terminal apparatus for reauthentication when said access amount reaches a predetermined amount.
4. The wireless LAN access authentication system according to claim 1, wherein said radio terminal apparatus comprises an information card which records ID information and uses the ID information recorded in said information card as an authentication ID at the time of access authentication of said radio terminal apparatus.
5. A wireless LAN access authentication method in a network system comprising a plurality of wireless LAN network systems and a center station that controls said plurality of wireless LAN network systems in a centralized manner, each of said plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section and a gateway apparatus which relays transmission/reception of data signals and control signals between said access point sections, and said center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of said plurality of wireless LAN network systems and an authentication server that performs access authentication on said radio terminal apparatus which has accessed said access point sections and distributes cryptographic keys used for encryption of a radio section through which said access-authenticated radio terminal apparatus carries out communication to said radio terminal apparatus and said access point section, said wireless LAN access authentication method comprising: an access control step of controlling the situation of access of said radio terminal apparatus in each of said wireless LAN network systems to said authentication server and checking the presence/absence of access of said radio terminal apparatus to said authentication server when said radio terminal apparatus moves to a communication area of a new access point section; and a cryptographic key control step of controlling cryptographic keys distributed from said authentication server and distributing, when it is confirmed in said access control step that the radio terminal apparatus which has moved to the communication area of the other access point section has already accessed said authentication server, the cryptographic key for the radio section through which said radio terminal apparatus carries out communication to said radio terminal apparatus and said new access point section in the area to which said radio terminal apparatus has moved.
6. A gateway apparatus in each of wireless LAN networks in a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station that controls said plurality of wireless LAN network systems in a centralized manner, each of said plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus that transmits/receives a radio signal through a radio section, said center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of said plurality of wireless LAN network systems and an authentication server that performs access authentication on said radio terminal apparatus which has accessed said access point section and distributes cryptographic keys used for encryption of a radio section through which said access-authenticated radio terminal apparatus carries out communication to said radio terminal apparatus and said access point section, said gateway apparatus comprising: a transmission/reception section that transmits/receives said data signals and said control signals to/from the center station gateway apparatus of said center station; an access control section that controls the situation of access of said radio terminal apparatus to said authentication server within each of said wireless LAN networks and checks the presence/absence of access of said radio terminal apparatus to said authentication server when said radio terminal apparatus moves to a communication area of a new access point section; and a cryptographic key control section that controls said cryptographic keys distributed from said authentication server through said access control section and distributes, when it is confirmed that said radio terminal apparatus which has moved to the communication area of the other access point section has already accessed said authentication server, said cryptographic key for the radio section through which said radio terminal apparatus carries out communication to said radio terminal apparatus and the new access point section in the area to which said radio terminal apparatus has moved.
7. The gateway apparatus according to claim 6, wherein said access control section comprises a control section that controls an access amount of at least one of an access time or communication packet amount of said radio terminal apparatus and requests said radio terminal apparatus for reauthentication at the time at which said access amount has reached a predetermined amount.
8. A radio terminal apparatus used in a wireless LAN access authentication system in a network system comprising a plurality of wireless LAN network systems and a center station which controls said plurality of wireless LAN network systems in a centralized manner, each of said plurality of wireless LAN network systems comprising at least two access point sections accessed by a radio terminal apparatus transmitting/receiving a radio signal through a radio section and a gateway apparatus that relays transmission/reception of data signals and control signals between said access point sections, said center station comprising a center station gateway apparatus that relays transmission/reception of data signals and control signals between the gateway apparatuses of said plurality of wireless LAN network systems and an authentication server that performs access authentication on said radio terminal apparatus which has accessed said access point section and distributes the cryptographic key used for encryption of the radio section through which said access-authenticated radio terminal apparatus carries out communication to said radio terminal apparatus and said access point section, said radio terminal apparatus comprising an information card in which ID information is recorded for use when access authentication is performed by said authentication server of said center station.